Hardware/Software Solution to Improve Security in Mobile Ad-hoc Networks

Sirisha Medidi, José G. Delgado-Frias, and Hongxun Liu School of Electrical Engineering and Computer Science, Washington State University, Pullman, WA 99164-2752

10.1 Introduction Ad hoc networks are the preferred means of communication where infrastructure is not available in hostile environments for information gathering and time critical decision-making activities. Additionally it would helpful if networks are able to support secure communication while maintaining a high level of network performance. Ad hoc networking opens up a host of security issues, including: (1) Wireless links are especially vulnerable to eavesdrop. This may give an adversary access to secret/private information. (2) Establishing trust among the communicating parties is difficult. There is no centralized infrastructure to manage and/or to certify trust relationships. This is compounded by the fact these networks are often very dynamic –with nodes free to join and leave at will– and thus having network topology and traffic changing dynamically. (3) Malicious nodes are difficult to identify by behavior alone. Many perfectly legitimate behaviors in wireless networking may seem like an attack. (4) Selfish behavior or node misbehavior is also likely. Due to node limitations/constraints nodes may opt to go into selfish mode. Achieving security for ad-hoc networks – To achieve a secure ad-hoc network will undoubtedly require a more comprehensive approach with more sophisticated resources that are integrated into the informationgathering strategies of wireless ad-hoc routing protocols. The proposed approach takes a thorough look at secure wireless ad-hoc networking from a real-time perspective. We propose to incorporate design for security (or design for intrusion-intolerance) as an integral part of the ad-hoc networks operational specification. The integration includes augmentation

206

Medidi, Delgado-Frias and Liu

of protocols with security and Quality-of-Service (QoS) primitives. Rather than relying on technologies designed for wired networks and currently implemented at the network layers on wireless systems, we believe that multiple strategies are needed to make ad-hoc systems wirelessaware, efficient, and secure. Handling malicious or unreliable node – There are three steps in handling a malicious node: detect malicious behavior, identify the malicious node, and remove the undesirable node from the network or otherwise cope with it. Ideally techniques to mitigate the effects of malicious or unreliable nodes should: (i) require no modification to protocols, (ii) work with existing routing protocols, (iii) have minimal or no security associations that require the cooperation of other nodes in the network, and (vi) not contribute itself for further attacks on the communication and the routing protocols. Hardware Monitor – Behavior monitoring by software alone definitely is effective in the detection mechanism. However, false positives could be higher due to the evolving nature of the ad-hoc networks. Furthermore, software based detection can not prevent some malicious nodes from making false indictment to other nodes. Actually, in the mobile ad-hoc environment, it is very difficult to build a trust relationship among the mobile nodes. To have a control on this issue and to further enhance the security of the network, a hardware monitor that provides information to the software layers that is independent of the node’s software would be extremely valuable. The hardware monitor can be made tamper resistant and provide trustworthy information to the network. The results provided by the hardware monitor can be used by a reputation system. When there are conflicts between the detection results from the hardware monitor and software monitor, the results sent by the hardware monitor are selected. The hardware monitor should ideally provide the software layers information about: (i) malicious packet drop, (ii) malicious misroute, and (iii) bogus routing information. Routing problem – Spurious route requests by malicious nodes could cripple the network by introducing broadcast-storm and route-reply storm problems. It is desirable to find a route that has a higher likelihood of surviving over a period of time in spite of node mobility and that has better network resources. Providing routes that are stable based on route statistics could reduce communication disruption time. For effective performance, one needs these features in the routing protocol (all must be energyefficient): (i) mechanisms to distinguish between false and valid route requests, (ii) ability to adapt to dynamically changing QoS requirements such as battery life, signal strength, bandwidth and latency, and (iii) adaptive mechanisms to detect intrusions and non-cooperative or selfish behavior.

Hardware/Software Solution to Improve Security

Node j

207

Node i

Upper layers

Node’s hardware

Upper layers

Software monitor

Hardware monitor

Software monitor

Routing algorithm

Routing cache monitor

Routing algorithm

Fig. 10.1. Relationship between software/hardware monitoring and routing

Our Approach – Once undesirable behavior is detected, the malicious nodes will be identified and isolated: doing this leads to secure and QoSaware routing protocols that strengthen the process of identifying and isolating undesirable nodes. The strength of our approach lies in our ability to incorporate a hardware-monitoring scheme, which is independent of software monitoring techniques. This in turn provides a considerable advantage over existing hardware only or software only techniques. The proposed research aims at developing solutions for misbehavior detection for datagram traffic in addition to the common techniques that are based on TCP (transport control protocol) traffic without any additional security associations that is more common in other solutions. The status information from the hardware monitor will be effectively used in routing decisions to improving the network security as well as the performance.

10.2 Background and Related work 10.2.1 Detection, identification, and isolation of malicious nodes “Watchdog” [4] is a technique in which each node “snoops” the retransmission of every packet it forwards. If the watchdog detects that a node has not correctly retransmitted the packet, it raises a warning. This requires omni-directional antennas. We developed an unobtrusive monitoring technique, [1, 2, 3] which relies on readily available information at different

208

Medidi, Delgado-Frias and Liu

network levels to detect malicious nodes. The strength of the method is that a single source node can use it without relying on others, making it easy to implement and deploy. Further, there is also no need for security associations between the nodes. Local data such as route request and route error messages, ICMP time exceeded and destination unreachable messages, and TCP timeouts are used to detect misbehavior. Finally, the information is processed to determine if any malicious activity is taking place. In case of undesirable activity, the node is alerted so that it can act. Currently the technique can identify Byzantine faults such as packet drop attack and misrouting. Experiments were conducted using an ns-2 network simulator (details in [1, 2, 3]). The detection effectiveness improves with increase in the percentage of malicious nodes. We have proposed techniques to improve the performance of nodes in a network by means of novel hardware. This includes buffer schemes that use more efficiently the buffer space in a multiple port node [6]. We proposed an original high-performance cache technique for routing [7, 8, 9]. This technique takes advantage of temporal and geographical locality of packets. T. Chiueh and P. Pradhan [10] proposed to use a conventional cache; this approach has problems with collations due to its associability limitations.

10.2.2 Secure and QoS-aware routing To achieve optimal availability, routing protocols should be robust against both dynamically changing topology and malicious attacks. Routing protocols proposed so far do not handle security and quality of service within the same protocol. Routing protocols proposed for ad-hoc networks cope well with a dynamically changing topology [11], but none can defend against malicious attacks. We proposed a source-initiated ad-hoc routing protocol (QuaSAR) [12] that adds quality control to all the phases of an on-demand routing protocol. QuaSAR gathers information about battery power, signal strength, bandwidth and latency during route discovery and uses it in route choosing. Also, our approach has proactive route maintenance features in addition to the reactive maintenance. Simulation experiments confirm that QuaSAR performs better than Dynamic Source Routing (DSR) in terms of throughput and delivery ratio [12].

Hardware/Software Solution to Improve Security

209

10.3 Comprehensive Software/Hardware Schemes for Security in Ad-hoc Networks In this section we present our proposed approach to security and QoS in Ad-hoc networks. We have divided this proposed research ideas into two broad categories: (i) Misbehavior detection, identification and isolation of malicious nodes, and (ii) Secure, QoS-aware routing.

10.3.1 Detecting misbehavior, identifying and isolating malicious nodes 10.3.1.1 Software Monitoring

The algorithms we have developed for misbehavior include detection of packet dropping and packet misrouting done offline by analyzing the simulation traces. Algorithms to detect attacks on routing protocols also need to be developed. Techniques such as varying both detection interval and alert threshold will decrease false positives. To further generate triggers for potential attack scenarios or intrusions on the routing protocol, one can use a model-based pattern analysis technique that is loosely based on an expected model of behavior of the routing protocol being used. This can be done modeling the protocol activities as a finite state machine, identifying the sequence of unusual state changes, and getting information from the hardware monitor. Certain learning mechanisms will be incorporated to help with identifications. These techniques will help detect both noncooperative and selfish behaviors such as nodes that refuse to provide routing service to others (perhaps to conserve battery power) but also ask for and accept service when in need. Experimental results from ns-2 simulations can be used to fine-tune the system. One good way to identify malicious nodes is for each node to initiate the identification process by itself. We can use TCP time out, ICMP destination unreachable message, and route error messages to narrow the malicious node to a set of two nodes. Once the malicious nodes are identified, the source nodes can use this information in their routing decisions. 10.3.1.2 Hardware Monitoring

We propose a novel hardware based node monitoring approach. In this approach a number of monitoring schemes are implemented in hardware. These monitors are kept independent from the software layer of the same node. Even though the software could be compromised by a virus or user, the hardware is made tamper resistant. After the hardware detects the software’s misbehavior,

210

Medidi, Delgado-Frias and Liu

it will report such information to other nodes. Upon receiving the warning message, the other nodes can lower the rating the misbehaving node or even isolate the node from the network. The hardware schemes observe traffic through the node, status of queues, and status of neighboring nodes. The hardware monitor provides information about the node’s potential underperformances to its neighbors. The information that is passed on to other nodes includes: packet drop rate above a preset threshold, input queue full rate, and routing modification. Software solutions are usually good at identifying communication paths that may include a malicious node in ad-hoc networks. But, these solutions have problems in pinpointing the exact node that is misbehaving. In these cases, the proposed hardware monitoring technique can help software to identify these nodes and, above all, the potential cause of the problem. Hardware detects the malicious behaviors through the mechanism called internal monitoring. A hardware monitor observes the behavior of the node’s software and reports to neighboring nodes accordingly. When the software layer drops packets, the hardware monitor determines the drop rate and reports this node to other nodes in the same ad-hoc network if the drop rate reaches a pre-defined threshold value. The assumption is that all the mobile nodes have the proposed hardware. The implementation of internal monitoring is through an adaptive drop counter that records the packet-dropping rate of the software layers. The counter records the number of packets dropped during a given period of time. If the counter reaches or exceeds a threshold value, a reporting mechanism is triggered. Both the period of time and the threshold are adaptive. They can be adjusted according to the traffic and other factors. For example, the detection period could be shortened for a heavy burdened node. A concrete implementation is described in the following two-timer scheme which is based on DSR. In the two-timer scheme, there are two timers, Detection Timer and Reward Timer, in addition to the drop counter. The Detection Timer (DeT) is used to detect if the wireless node forwards a received packet during the detection period. A received packet will first arrive at the hardware layer and trigger this timer. Then the packet will be passed to the software layer of the same node. The software layer of a good-behaving node will process the packet and forward the packet according to the content of the packet. If the node never forwards the packet and DeT expires, the value of drop counter is increased by 1. If the node’s DeT keeps incrementing the counter, the drop counter of a misbehaving node will reach a predetermined threshold, thus triggering the warning message to be sent. The other timer, Reward Timer (RwT), is used to reward the goodbehaving node during the route discovery process of DSR. During the

Hardware/Software Solution to Improve Security

211

process of route discovery, the route request packet is usually sent through broadcast, which will cause the same route request packet to be received several times by a single node. As shown in Fig. 2, when node A receives a route request packet and broadcasts that packet, its neighbor B will receive and broadcast the packet. Due to the nature of broadcast, Node A will receive the same route request packet again from node B. If node A has a few neighbors within its transmission range, it is likely that A will receive a few duplicate route requests. To compensate for such irregularity, after a good-behaving node forwards a route request, the node will be rewarded a grace period by means of Reward Timer (RwT) during which the node could “drop” the duplicate route request without being penalized. As shown in Fig. 3, a wireless node receives a route request packet A (RRPA) which starts the DeT. During the period of DeT, the RRPA is forwarded, which starts the RwT. Then the three duplicate RRPA received during RwT will not be counted as new packets and dropping the three duplicate RRPA will not increase the drop counter. On the other hand, if the RRPA is not forwarded during the period of DeT, there will not be RwT. Then the duplicate RRPA will be counted as new packets and the dropping of these duplicate RRPA will increase the drop counter.

A

B

C

Fig. 10.2. A simple wireless ad-hoc Network Route Request Packet A (RRPA)

RRP

DeT

Duplicate Duplicate Duplicate RRPA RRPA RRPA

RwT

time

Fig. 10.3. The functions of DeT and RwT during the processing of route request packet

212

Medidi, Delgado-Frias and Liu

A number of simulations are run to evaluate the performance of twotimer scheme. Two metrics are used in the evaluation process: Detection Effectiveness and False Positive. Detection Effectiveness measures how well the two-timer scheme performs in identifying the misbehaving nodes. The detection effectiveness is measured as follows. DetectionEffectiveness =

Detected _ nodes × 100 Total _ misbehaving _ nodes

In the formula above, detected_nodes are the misbehaving nodes that have been identified. For example, if the scheme detects all of the misbehaving nodes in the network, the detection effectiveness is 100%. On the other hand, if it cannot detect any misbehaving node, the detection effectiveness is 0%. Some good-behaving nodes may be misidentified as misbehaving nodes; this is called False Positive. It is measured as the number of good but detected misbehaving nodes divided by the total number of detected misbehaving nodes. FalsePositive =

missclassified _ missbehaving _ nodes × 100 Detected _ nodes

The detection object would be to have 0% false positive and 100% detection effectiveness. But this in turn is extremely difficult to obtain. Our goal in this study is to keep false positive at 0% and try to get the detection effectiveness as high as possible. Having a number of good nodes being misclassified has a negative effect on the overall performance of the network. On the other hand, some nodes that have the potential of misbehaving may not be involved in any communication path. This in turn makes those nodes difficult to detect and having minimum impact on the network performance. Thus, our goal is to get very low false positive, followed by high detection effectiveness. In the simulations, the percentage of misbehaving nodes ranges from 10% to 40%, with an increment of 10%. For each percentage of misbehaving nodes, 100 times of simulations are run. The simulation results are shown in both Table 1 and Fig. 4.

Hardware/Software Solution to Improve Security

213

Table10.1. Simulation results

Detected Misbehaving Nodes (%)

10%

20%

30%

40%

0-60

8

6

4

6

60-70

5

0

5

3

70-80

0

2

5

3

80-90

12

7

14

12

90-100

0

15

16

21

100

75

70

56

55

Percentage of Misbehaving Nodes

Number of simulations

100 80 60 40 0-60 60-70 70-80 80-90 90-100 100%

20 0 10%

20% 30% Misbehaving nodes

40%

Fig.10.4. Simulation results with 0% false positive

In Fig. 4, there are four columns. Each column corresponds to a percentage of misbehaving nodes in the simulation. As mentioned earlier, for each percentage of misbehaving nodes 100 simulations are run. As shown in Fig. 4, the scheme can detect 80% or above misbehaving nodes in all the percentages at a probability of almost 90%. For all the percentages, they have perfect detections at a probability of at least 55%. An interesting phenomenon is that the probability of perfect detection decreases as the percentage of misbehaving nodes increases. One reason is that more misbehaving nodes lead to more separated networks. In such cases, there is no enough traffic to pass the misbehaving nodes while the two-timer scheme

214

Medidi, Delgado-Frias and Liu

needs a relatively connected network. Another reason is that as the percentage of misbehaving nodes increases the number of packets resent increases, leading to longer response time for the good-behaving nodes. The two-timer scheme proposed has the following features: High detection of misbehaving nodes – The proposed scheme can detect 80% or above misbehaving nodes with a probability of almost 90%. Zero false positives – The two timers are set to achieve a 0% misclassification of good-behaving nodes as misbehaving nodes. Minor changes to software layer – The proposed scheme requires very little change to the present software layer and can be easily implemented at the hardware layer due to the simple nature of the scheme. The simulation results show that the two-timer scheme can detect misbehaving nodes accurately in terms of detection effectiveness and false positive. Currently, we are conducting some enhancements to the twotimer scheme and designing other more efficient hardware scheme to detect packet dropping. Another hardware monitor checks the input buffer to determine the time that this buffer is full. This is an important issue since packet dropping may be due to lack of memory resources. If the time that the buffer is full is higher than a threshold value, the hardware will report this to other nodes. This in turn will indicate to other nodes that the current node can not keep up with handling too many packets and it is not a malicious node. Besides the packet dropping monitor and buffer monitor, the misrouting monitor is responsible to detect packet misrouting. For example, a few misbehaving nodes can collude with each other and send forwarding packets to each other by modifying the routing information inside the packets. Detecting colluding nodes using software scheme usually time consuming and very complicated. Using hardware monitor to detect misrouting can relieve the software from such complicated work. The misrouting monitor needs to detect such misbehavior and report the detection results to other nodes. The other nodes can use the information received to isolate the colluding nodes from the network. Currently, we are working on combining misrouting monitor with the packet dropping monitor. 10.3.1.3 Software/Hardware Monitoring

The software monitoring will enable us in detecting, identifying and isolating malicious nodes. Through the help of hardware monitoring, the software layer will be assisted to make a more precise determination of malicious nodes and the causes of potential problems. The software layer will

Hardware/Software Solution to Improve Security

215

determine the actions that need be taken to avoid malicious nodes and to improve throughput, quality of service, and/or reliability. It should be pointed out that hardware flow monitor makes no decisions rather it provides independent information to its own node and adjacent nodes. Novel algorithms are going to be developed that take into account this additional information. Since there is a new independent source of information, the new algorithms for detecting, identifying and isolating malicious nodes will be more precise with far fewer false positive outcomes. Our groundwork on this project has yielded extremely positive results that need be fully studied and integrated in the proposed research.

10.3.2 Secure, QoS-aware routing 10.3.2.1 Software Techniques

To achieve IETF (Internet Engineering Task Force)-compatible protocol specification of the secure routing, we propose extensions of DSR that encapsulate source routing capabilities, but with minimal changes and overhead. Messages such as route request (RREQ) and route reply (RREP) need to be augmented to reflect the malicious nodes or suspicious activity by the nodes in the path, and also quality of service requirements. Above and beyond format specification, a key technical challenge lies in managing RREQ implosion (the “broadcast storm” problem). Some of the techniques we employed in quality of service routing [12] can apply to secure routing. A second issue is the route reply storm problem that is created due to the number of routes that are sent back to the source. Selective route replies that we developed in [12] can be adapted to alleviate this problem. A third issue is that there needs to be a proactive mechanism to preempt route breaks arising due to signal strength weakening (when the mobile node moves out of range), battery power depletion, and memory shortage (node becomes selfish and drops packets). One way to address this is to send a route change request (RCR) to find a new route. In [13], a proactive mechanism is proposed to preempt route breaks based on signal strength measurements. This idea can be enhanced to also include route breaks due to low battery power and memory shortage. Finally, one can incorporate learning mechanisms in the routing process to detect intrusions including spurious route requests and non-cooperative or selfish behaviors. The knowledge gained through our misbehavior detection and identification process will be integrated with the routing decisions to further improve the routing performance. Testing and refining these protocols and algorithms in an actual ad-hoc network test-bed would provide us insight into how the proposal works.

216

Medidi, Delgado-Frias and Liu

10.3.2.2 Hardware Support

Routing cache monitor is another innovative technique to observe and report changes in the routing. As a routing path is established, information about this path is inserted in a cache memory. As packets for this path pass through the node, the cache checks packet forwarding. If the routing is changed, this may trigger a reporting mechanism of a potential problem. Our cache technique takes advantage of temporal and geographical locality of the packets [8]. When bogus routing information is reported, the routing protocol incorporates this into its routing decisions. We anticipate that using this additional information will further enhance the security and performance of the network.

10.4

Implications and Future Research

In this paper, we make a case that to realize secure communication in adhoc networks, it is necessary to develop comprehensive techniques to detect, identify and isolate malicious nodes in the network and then integrate this information into routing decisions. Based on our preliminary results and our experience, we believe such integration would not only improve the security of the network but also its performance. In our experience, software only solutions have given us good detection effectiveness in terms of malicious behavior detection and reasonable false positive level. Providing an independent source of monitoring with hardware integrated into the software layers would greatly reduce the false positives and increase the detection effectiveness of our techniques. We have included a simple, but yet powerful, two-timer scheme. This scheme is capable of detecting a large percentage of misbehaving nodes while keeping false positive detection to zero. Further using route-cache monitor would greatly enhance routing security. This multi-layer hardware/software approach will significantly enhance the security and performance of mobile ad-hoc networks. As explained in this paper, we have came to the conclusion that having two independent monitors (software and hardware monitors) could lead to a significant enhancement of security and performance of mobile ad-hoc networks.

Hardware/Software Solution to Improve Security

217

References 1. S. Medidi, M. Medidi, S. Gavini (2003) Detecting Packet Dropping Faults in Mobile Ad-hoc Networks. In Proc. of IEEE ASILOMAR Conference on Signals, Systems and Computers, volume 2, pp. 1708–1712 2. S. Medidi, M. Medidi, S. Gavini, R. L. Griswold (2004) Detecting Packet Mishandling in MANETs. In Proc. of Security and Management Conference, pp. 40–44 3. R. L. Griswold, S. Medidi (2003) Malicious Node Detection in Ad-hoc Wireless Networks. In Proc. SPIE AeroSense Conference on Digital Wireless Communications, volume 5100, pp. 40–49 4. S. Marti, T. J. Guili, K. Lai, M. Baker (2001) Mitigating routing misbehavior in mobile ad hoc networks. In Proc. of ACM SIGCOMM, pp. 255–265 5. S. Buchegger, J. Y. Le Boudec (2002) Nodes bearing grudges: Towards routing security, fairness, and robustness in mobile ad hoc networks. In Proc. of the Parallel, Distributed and Network-based Processing, pp. 403–410 6. J. Liu, J. Delgado-Frias (2005) DMAQ Self-Compacting Buffer Schemes for Systems with Network-on-Chip. In Proc. of Int. Conf. on Computer Design, pp. 97–103 7. J. Nyathi, J. G. Delgado-Frias (2002) A Hybrid Wave-Pipelined Network Router. In IEEE Transactions on Circuits and Systems, 49(12): 1764–1772 8. J. J. Rooney, J. G. Delgado-Frias, D. H. Summerville (2004) An Associative ternary cache for IP routing. In Proceedings of IEE Section E: Computers and Digital Techniques, volume 151, pp. 409–416 9. D. H. Summerville, J. G. Delgado-Frias, S. Vassiliadis (1996) A Flexible BitAssociative Router for Interconnection Networks. In IEEE Transactions on Parallel and Distributed Systems, 7(5): 477– 485 10. T. Chiueh, P. Pradhan (2000) Cache Memory Design for Internet Processors. In 6th Symposium on High Performance Computer Architecture (HPCA-6), Toulouse, France 11. D. B. Johnson, D. A. Maltz, Y. C. Hu, J. G. Jetcheva (2003) The dynamic source routing protocol for mobile ad hoc networks (DSR). Internet draft, www.ietf.org/proceedings/03mar/I-D/draft-ietf-manet-dsr-08.txt 12. S. Medidi, K. Vik (2004) QoS-Aware Source-Initiated Ad-hoc Routing. In Proc. of IEEE Conference on Sensor and Ad Hoc Communications and Networks, pp. 108–117 13. T. Goff, N. Abu-Ghazaleh, D. Phatak, R. Kahvecioglu (2001) Preemptive routing in ad hoc networks. In Journal of Parallel and Distributed Computing, 63(2): 123–140